Though some of the most damaging exposures of classified material have come from companies working for the federal government in recent years, the intelligence community’s 100,000 contractors overall “are kicking butt” in helping agencies head off insider threats, the nation’s top counterintelligence chief said on Monday.

Anticipating threats “is a team sport,” Bill Evanina, the government’s national counterintelligence executive, told a gathering of the Intelligence and National Security Alliance, a nonprofit group made up of contractors and former intelligence officials. “The only way to win is a partnership, a whole-of-government, whole-of-country approach” that includes contractors and the news media as well.

“We have to get back to patriotism,” he said.

Despite incidents involving National Security Agency contractors such as Edward Snowden and Harold Martin, “we need to eliminate with urgency the idea that most insider threats are contractors,” Evanina said. “There’s no evidence” either for that, he said, or for the common notion that “millennials want to be leakers.”

Discrepancies and deficiencies in the way various rules designate and govern covered defense information and controlled unclassified information can impact how contractors protect confidential government information.

In a white paper prepared by associate member Rogers Joseph O’Donnell, the IT Alliance for Public Sector looked at the scope, implementation, compliance tools and inconsistencies of regulatory constructs and requirements to safeguard federal data and information.

A new final rule four years in the making will amend the Federal Acquisition Regulations, or FAR, with new sections on the basic safeguarding of contractor information systems.

The rule, published on May 16, 2016 in the Federal Register and issued by the Defense Department, General Services Administration and NASA, will add a subpart and contract clause on contractor systems that process, store or transmit federal contract information, and calls on contractors to apply a minimum of 15 security control requirements.

This type of information is not intended for public release and excludes information that the government provides to the public or that is related to processing payments.

The focus of the rule is on a basic level of safeguarding, and contractors still have to comply with safeguarding requirements for protecting controlled unclassified information, or CUI. “Systems that contain classified information, or CUI, such as personally identifiable information, require more than the basic level of protection,” the rule stated.

Government contractors are in a difficult position when it comes to cybersecurity. Not only do they need to worry about cybersecurity issues that affect almost every company, but they also often house sensitive government data that can carry additional obligations.

Further, the very fact that they have access to this information, and their relationship to the U.S. government, makes them an attractive target for malicious efforts. Escalating these concerns, not only are contractors with sensitive information prime targets for standard hackers trying to prove their worth, but they are also in the cross-hairs for attacks sponsored by countries hostile to the United States or interested in obtaining technology otherwise prohibited to them.

The U.S. government recognizes this threat and has responded in two major ways. The first is to impose additional cybersecurity responsibilities on contractors who have access to sensitive data. While the goal of these additional obligations is to harden security to protect data, their parameters are not always apparent and can be easily misunderstood. Just identifying what a contractor is expected to do can be a challenge. The second element of the government’s approach is to assist in combating cyber attacks by offering to work with companies, including contractors, who find themselves victims. This help can be invaluable, especially for sophisticated and persistent state-sponsored cyber threats. It also raises additional issues, however, and many companies are justifiably suspicious of opening their information technology systems to the government.

In this Commentary, we highlight the aligned and competing priorities of the government and companies in this space. We discuss some of the main requirements imposed on contractors that go above and beyond those required of standard companies. We also delve into practical considerations for government contractors in this area and developing trends.

Private sector government contractors may soon be subjected to new rules for managing sensitive federal information.

The National Institute of Standards and Technology (NIST) recently published draft requirements for federal and nonfederal groups with access to “controlled unclassified information” — a subset of confidential information that, while not classified, must still be protected. The Commerce Department agency is accepting public comments on the draft until May 12, 2015.

These requirements are meant to supplement rules under the Federal Information Security Management Act, which governs how federal agencies (and contractors, on their behalf) manage their own data in their own information systems, according to NIST fellow Ron Ross.

The new guidance aims to cover situations not explicitly mentioned in FISMA — for instance, when state and local governments, colleges and universities, or private organizations happen to receive federal CUI data through a contract or an agreement.

A civilian defense contractor accused of giving military secrets to a Chinese girlfriend half his age will be entering a guilty plea, his attorney said Tuesday.

Benjamin Bishop was expected to plead guilty in federal court on Thursday to one count of transmitting national defense information to a person not entitled to receive it and one count of unlawfully retaining national defense documents and plans.

Bishop, 60, was arrested last March at the headquarters for the U.S. Pacific Command, where he worked.

A document for the plea agreement filed Tuesday said Bishop emailed his girlfriend classified information on joint training and planning sessions between the U.S. and South Korea.

It said Bishop had classified documents at his Hawaii home, including one titled “U.S. Department of Defense China Strategy,” another on U.S. force posture in Asia and the Pacific and a U.S. Pacific Command joint intelligence operations center special report.

A proposed rule more than two years in the making, covering contractor protection of unclassified defense information and the reporting of intrusions, became final last Monday (Nov. 18, 2013) with publication of the final rule in the Federal Register.

The rule is smaller in scope than the proposed rule the Defense Department put forth in June 2011, which would have imposed controls on any data tagged “for official use only” or with a similar marker. The final rule pertains only to “unclassified controlled technical information,” meaning technical data or computer software with military or space application (as defined in the Defense Federal Acquisition Regulation Supplement, section 252.227-7013).

It requires contractors and subcontractors that store or transmit such data to implement 51 security controls drawn from the National Institute of Standards and Technology catalog, Special Publication 800-53, or to provide a written justification for using alternative controls or a case for why a given control does not apply.